HIPAA Core Policy: HIPAA Administration

HIPAA Core Policy: HIPAA Administration

Abstract:
This policy ensures that UAB covered entities implement certain human resources requirements to protect against the wrongful use or disclosure of protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act ("HIPAA") and Alabama state law.
Effective Date:
6/7/2016
Responsible Party:
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

​1. PURPOSE: To ensure that UAB covered entities implement certain administrative requirements to protect against the wrongful use or disclosure of protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and Alabama state law.

2. PHILOSOPHY: UAB values and promotes business practices among its covered entities and all members of their workforces to provide privacy and security of PHI.

3. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Office of Benefits, and other UAB entities that may be added from time to time) and to the following UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time. For purposes of this policy, UAB and UABHS Covered Entities shall be collectively referred to as “UAB.” 

4. DEFINITIONS: UAB adopts the definitions set forth in the HIPAA regulations at 45 CFR Parts 160, 162, and 164.

5. POLICIES:

5.1. Identifying HIPAA Covered Entities

5.1.1. When a new unit, department, or clinic is established, Legal Counsel will assess and deterine whther or not the new entitie will be designates as a HIPAA covered entity, according to the definition and other guiding documentation provided by the Federal HIPAA regulations.

5.1.2. Upon review of a HIPAA Privacy Core Policy, Legal Counsel and the Privacy Officer will reassess each UAB HIPAA covered entity identified in the "applicability" section of the policy to ensure that each continues to qualify as a HIPAA covered entity.

5.2. Personnel Designations 

5.2.1. UAB shall designate a HIPAA Privacy Officer who is responsible for maintaining the policies and procedures regarding health information privacy. The Privacy Officer will work with the UAB HIPAA Covered Entities’ Entity Privacy Coordinators to communicate and implement these policies and procedures.

5.2.2. UAB shall designate a HIPAA Security Officer who is responsible for maintaining the policies and procedures regarding health information security. The Security Officer will work with the UAB HIPAA Covered Entities’ Entity Security Coordinators to communicate and implement these policies and procedures.

5.3. Workforce Training

5.3.1. UAB shall train all members of its HIPAA Covered Entities’ workforces on its HIPAA-related policies and procedures. 

5.3.2. This training is required for all workforce members of a UAB HIPAA Covered Entity. It should be completed within the first 30 days (for VIVA, 60 days) of employment or assignment.

5.3.3. Successful completion of this training will be documented.

5.4. Disciplinary Actions

5.4.1. UAB, through its various Human Resources Departments, shall apply disciplinary actions against members of the workforce who fail to comply with UAB’s HIPAA policies and procedures or applicable laws regarding PHI.

5.4.2. The Human Resources Departments will consider all relevant factors in determining the nature and severity of the disciplinary action: the type of violation, the intent of the workforce member at the time of the violation, and the number and frequency of any prior violations. Cumulative disciplinary actions may be imposed on an individual who commits more than one violation.

6. REFERENCES: None

7. SCOPE: This standard applies to all UAB Covered Entities and to UABHS Covered Entities identified in Section 3.

8. ATTACHMENT: None 

To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.